2ndhome.net Cross Site Scripting vulnerability

2020-05-21 19:48:00
g0bl1nsec
www.openbugbounty.org

Open Bug Bounty ID: OBB-1167964

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.

Affected Website: 2ndhome.net
Vulnerable Application: Custom Code
Vulnerability Type: XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: g0bl1nsec
Remediation Guide: OWASP XSS Prevention Cheat Sheet

Vulnerable URL: [image, not reproduced]

HTTP POST data: [image, not reproduced]

Screenshot: 2ndhome.net vulnerability

Coordinated Disclosure Timeline

Vulnerability Reported: 21 May, 2020 19:48 GMT
Vulnerability Verified: 21 May, 2020 20:02 GMT
Website Operator Notified: 21 May, 2020 20:02 GMT
      a. Using the ISO 29147 guidelines
      b. Using publicly available security contacts
      c. Using Open Bug Bounty notification framework
      d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 21 May, 2020 20:02 GMT